I have an Ubuntu 10.04 Linux server that I normally ssh into (from my home machine) using ssh key authentication. However, sometimes I need to ssh remotely from potentially insecure machines (like internet cafes, public computers at the library, etc) on which my password could become compromised. In this case, I'd want to use a one-time password system like OTPW or Steve Gibson's Perfect Paper Passwords.

How can I configure my server to first check for ssh keys, then use an OTPW system for authentication? (Would I have to make two users?)

Edit: sorry for answering my own question! (The other two answers are great, but don't completely answer the question. But still very helpful!)

The OTPassword Pluggable Authentication Module implements Steve Gibson's Perfect Paper Password system in a PAM for Linux. Once you install that, you'll have PPP authentication. But what about an ssh keys bypass? An FAQ on their site answers this question:

If you have a trusted machine from which you often log into your remote system, use ssh keys. Generate them with ssh-keygen, and copy your new ~/.ssh/id_rsa.pub into ~/.ssh/authorized_keys on the remote computer. When SSH authenticates a user with keys it omits PAM.

Conveniently automatic!

Edit: Google Authenticator and Duo Security also seem like good solutions. They don't provide one-time passwords on paper; instead they use your smartphone to generate a constantly changing TOTP key. (Duo Security also works with dumbphones by sending them a text message with a couple of one-time passwords. However, Duo Security is not local; you must rely on their servers...)

Also, Barada is another solution that looks promising; instead of paper one-time passwords, it uses a smartphone to generate the password from a PIN you supply. If you are on a trusted system you can just enter your standard password.
– mr_schlomo Dec 28 '11 at 19:31

There are many options you can set here; review the man page for the full set of options available.

I would recommend setting up a group just for ssh permissions.

The following flag is also strongly recommended:

PermitRootLogin no

This will get the daemon to request a password if the key is not sent/recognized. You can add the hurdle of OTPW if you like, but you are theoretically in an encrypted environment so it shouldn't strictly be necessary. Having looked at the OTPW information you linked, the code seems to have last been updated in 2003; I would be loath to use it without getting some peer review. Secure coding practices and indeed the whole environment have changed a lot since then.

Although this method doesn't check for 1 method of authentication, it does solve the problem of logging in from insecure/not-trusted machines using OTP.

To configure the SSH daemon to listen on multiple ports (one for public key authentication and the other for OTP authentication), simply add another port number to the sshd_config file, i.e.

Port 22 # For key-based auth
Port 60000 # For OTP-based auth

The 2-FA is based on Google’s 2-step authentication technology. To install the library and the program:

$ sudo apt-get install libpam-google-authenticator

Meanwhile, install the Google Authenticator app on your smartphone. Once installed, from the terminal, start up the program:

$ google-authenticator

This will give you a barcode, a secret and a bunch of scratch codes. KEEP THEM SAFE!!! If you don't have access to your phone or otherwise need emergency access, these codes will be your only way in. Don't underestimate how important this backup mechanism is. It might screw you in the long run.

Configure the PAM module to use Google Authenticator:

$ sudo nano /etc/pam.d/sshd

To disable password login thereafter, put a # in front of the line @include common-auth. Also, at the bottom of the file, add:

auth required pam_google_authenticator.so

To enable OTP authentication:

$ sudo nano /etc/ssh/sshd_config

Find the line with the phrase: ChallengeResponseAuthentication and change it from “no” to “yes”.

Set PermitRootLogin no and PasswordAuthentication no.

At the end of the file, use the “match” parameter to determine which authentication mechanism(s) have to be used to access the machine from that port, for example:

The parameter “keyboard-interactive:pam” forces the SSH daemon to go to the PAM module daemon (configured under /etc/pam.d/sshd) and authenticate as specified there (hence the need to disable password login from the PAM module as well, by hashing out the common-auth line).
Don’t forget to restart your SSH daemon for the changes to take effect:

$ sudo /etc/init.d/sshd restart

Then, when at a non-trusted machine, simply SSH into port 60000 (or whatever you set) and use OTP to authenticate.
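As an added example (not part of any of the answers above), here is a small POSIX shell script that reads an sshd_config and reports which AuthenticationMethods sshd will enforce on each listening port, honouring "Match LocalPort" blocks. That is the easy thing to get wrong once two ports are in play: a port that no Match block covers silently falls back to the global setting. The sshd_config it writes is a constructed sample for this illustration, not a real server's file, and it assumes an OpenSSH new enough to support AuthenticationMethods (6.2 or later) and the LocalPort Match criterion, which the OpenSSH shipped with Ubuntu 10.04 does not have.

```shell
#!/bin/sh
# Added example, not code from the answers above. Given an sshd_config and a
# listening port, print the AuthenticationMethods sshd would enforce for
# connections arriving on that port. Assumes OpenSSH 6.2+ (AuthenticationMethods)
# and the "Match LocalPort" criterion.

# Write a constructed sample sshd_config to a temp file and print its path.
sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22                 # key-based auth from trusted machines
Port 60000              # OTP (Google Authenticator via PAM) from untrusted machines
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

Match LocalPort 22
    AuthenticationMethods publickey

Match LocalPort 60000
    AuthenticationMethods keyboard-interactive:pam
EOF
    printf '%s\n' "$f"
}

# effective_auth_methods CONFIG PORT
# Single pass over the file: a setting seen before the first Match line is
# global; everything after a Match line belongs to that block until the next
# Match, and only applies when the block's LocalPort list contains PORT.
effective_auth_methods() {
    awk -v port="$2" '
        { sub(/#.*/, "") }                    # drop comments, then re-split fields
        NF == 0 { next }
        tolower($1) == "match" {
            in_block = 1; applies = 0
            for (i = 2; i < NF; i += 2) {
                if (tolower($i) == "localport") {
                    n = split($(i + 1), vals, ",")
                    for (k = 1; k <= n; k++) if (vals[k] == port) applies = 1
                }
            }
            next
        }
        tolower($1) == "authenticationmethods" {
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i   # keep alternative lists intact
            if (!in_block) global = v
            else if (applies) override = v
        }
        END {
            if (override != "") print override
            else if (global != "") print global
            else print "any"                  # sshd default: any enabled method
        }
    ' "$1"
}

# report CONFIG: one line per Port directive found in the file.
report() {
    for p in $(awk '{ sub(/#.*/, "") } tolower($1) == "port" { print $2 }' "$1"); do
        printf 'port %s -> %s\n' "$p" "$(effective_auth_methods "$1" "$p")"
    done
}

# Run the report against the constructed sample when executed directly.
demo_cfg=$(sample_sshd_config)
report "$demo_cfg"
rm -f "$demo_cfg"
```

Run it as-is to see both ports reported, or call `effective_auth_methods /etc/ssh/sshd_config 60000` against a real file. Note what happens for a port the config listens on but no Match block names: the script prints the global AuthenticationMethods, or "any" when none is set, which in practice means whatever PasswordAuthentication and ChallengeResponseAuthentication allow globally. Checking every Port this way before restarting sshd catches the case where the OTP port was added but its Match block was mistyped.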